author | Rob Austein <sra@hactrn.net> | 2016-02-16 18:58:38 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2016-02-16 18:58:38 +0000 |
commit | 536cbfc5ab084b810dc613204a5418ee11105ebf (patch) | |
tree | 026c2edfa13a2cf75cdf74cef5485246d29dcb00 | |
parent | 080dd73e8b8ec5bda6cc8ba389baf8215ccc0e12 (diff) |
Promote rpki-generate-root-certificate to supported status.
svn path=/branches/tk705/; revision=6264
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.install | 1 | ||||
-rwxr-xr-x | potpourri/generate-root-certificate | 62 | ||||
-rwxr-xr-x | rp/config/rpki-generate-root-certificate | 71 | ||||
-rw-r--r-- | setup.py | 3 |
4 files changed, 74 insertions, 63 deletions
diff --git a/buildtools/debian-skeleton/rpki-rp.install b/buildtools/debian-skeleton/rpki-rp.install
index f1db3570..8490936a 100644
--- a/buildtools/debian-skeleton/rpki-rp.install
+++ b/buildtools/debian-skeleton/rpki-rp.install
@@ -4,6 +4,7 @@ etc/xinetd.d/rpki-rtr
 usr/bin
 usr/lib/python2.7
 usr/sbin/rpki-confgen
+usr/sbin/rpki-generate-root-certificate
 usr/sbin/rpki-manage
 usr/sbin/rpki-sql-backup
 usr/sbin/rpki-sql-setup
diff --git a/potpourri/generate-root-certificate b/potpourri/generate-root-certificate
deleted file mode 100755
index 31647d5f..00000000
--- a/potpourri/generate-root-certificate
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Generate an RPKI root certificate for rootd. In most cases you should
-not need to do this; see caveats in the manual about running rootd if
-you think you need this. This script does nothing that can't also be
-done with the OpenSSL command line tool, but on some platforms the
-installed copy of openssl doesn't understand the RFC 3779 extensions.
-"""
-
-import os
-import sys
-import time
-import argparse
-import rpki.x509
-import rpki.config
-import rpki.sundial
-import rpki.resource_set
-
-os.environ["TZ"] = "UTC"
-time.tzset()
-
-parser = argparse.ArgumentParser(description = __doc__)
-parser.add_argument("-c", "--config", help = "configuration file")
-parser.add_argument("-a", "--asns", default = "0-4294967295", help = "ASN resources")
-parser.add_argument("-4", "--ipv4", default = "0.0.0.0/0", help = "IPv4 resources")
-parser.add_argument("-6", "--ipv6", default = "::/0", help = "IPv6 resources")
-parser.add_argument("--certificate", default = "root.cer", help = "certificate file")
-parser.add_argument("--key", default = "root.key", help = "key file")
-parser.add_argument("--tal", default = "root.tal", help = "TAL file")
-args = parser.parse_args()
-
-cfg = rpki.config.parser(args.config, "rootd")
-
-resources = rpki.resource_set.resource_bag(
- asn = rpki.resource_set.resource_set_as(args.asns),
- v4 = rpki.resource_set.resource_set_ipv4(args.ipv4),
- v6 = rpki.resource_set.resource_set_ipv6(args.ipv6))
-
-keypair = rpki.x509.RSA.generate(quiet = True)
-
-sia = cfg.get("rpki-base-uri")
-sia = (sia, sia + "root.mft", None)
-
-uri = cfg.get("rpki-root-cert-uri")
-
-cert = rpki.x509.X509.self_certify(
- keypair = keypair,
- subject_key = keypair.get_public(),
- serial = 1,
- sia = sia,
- notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
- resources = resources)
-
-with open(args.certificate, "wb") as f:
- f.write(cert.get_DER())
-
-with open(args.key, "wb") as f:
- f.write(keypair.get_DER())
-
-with open(args.tal, "w") as f:
- f.write(uri + "\n\n" + keypair.get_public().get_Base64())
diff --git a/rp/config/rpki-generate-root-certificate b/rp/config/rpki-generate-root-certificate
new file mode 100755
index 00000000..28bb1836
--- /dev/null
+++ b/rp/config/rpki-generate-root-certificate
@@ -0,0 +1,71 @@
+#!/usr/bin/env python
+
+"""
+Generate an RPKI root certificate for rootd. In most cases you should
+not need to do this; see caveats in the manual about running rootd if
+you think you need this. This script does nothing that can't also be
+done with the OpenSSL command line tool, but on some platforms the
+installed copy of openssl doesn't understand the RFC 3779 extensions.
+"""
+
+import os
+import sys
+import pwd
+import time
+import rpki.x509
+import rpki.config
+import rpki.sundial
+import rpki.autoconf
+import rpki.resource_set
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+cfg, parser = rpki.config.argparser(section = "rootd", doc = __doc__)
+parser.add_argument("-a", "--asns", help = "ASN resources", default = "0-4294967295")
+parser.add_argument("-4", "--ipv4", help = "IPv4 resources", default = "0.0.0.0/0")
+parser.add_argument("-6", "--ipv6", help = "IPv6 resources", default = "::/0")
+parser.add_argument("--certificate", help = "certificate file", default = cfg.get("rpki-root-cert-file", "root.cer"))
+parser.add_argument("--key", help = "key file", default = cfg.get("rpki-root-key-file", "root.key"))
+parser.add_argument("--tal", help = "TAL file", default = "root.tal")
+args = parser.parse_args()
+
+resources = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as(args.asns),
+ v4 = rpki.resource_set.resource_set_ipv4(args.ipv4),
+ v6 = rpki.resource_set.resource_set_ipv6(args.ipv6))
+
+keypair = rpki.x509.RSA.generate(quiet = True)
+
+sia = (cfg.get("rpki_base_uri") + "/",
+ cfg.get("rpki-root-manifest-uri"),
+ None,
+ cfg.get("publication_rrdp_notification_uri", section = "myrpki"))
+
+uris = (cfg.get("rpki-root-cert-uri"),
+ cfg.get("publication_rrdp_base_uri", section = "myrpki") + "root.cer")
+
+cert = rpki.x509.X509.self_certify(
+ keypair = keypair,
+ subject_key = keypair.get_public(),
+ serial = 1,
+ sia = sia,
+ notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
+ resources = resources)
+
+with open(args.certificate, "wb") as f:
+ f.write(cert.get_DER())
+
+with open(args.tal, "w") as f:
+ for uri in uris:
+ f.write(uri + "\n")
+ f.write(keypair.get_public().get_Base64())
+
+with os.fdopen(os.open(args.key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0400), "w") as f:
+ f.write(keypair.get_DER())
+
+try:
+ pw = pwd.getpwnam(rpki.autoconf.RPKI_USER)
+ os.chown(args.key, pw.pw_uid, pw.pw_gid)
+except:
+ pass
@@ -93,7 +93,8 @@ if autoconf.RP_TARGET == "rp":
 ["rp/config/rpki-confgen",
 "rp/config/rpki-sql-backup",
 "rp/config/rpki-sql-setup",
- "rp/config/rpki-manage"])]
+ "rp/config/rpki-manage",
+ "rp/config/rpki-generate-root-certificate"])]
 if autoconf.CA_TARGET == "ca": |
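Review bot: The bare `except: pass` after the os.chown call at the end of the new file hides both an unknown RPKI_USER (KeyError) and a permission failure (OSError, e.g. when the script is not run as root), so a private key left owned by the invoking user goes unreported; narrow it to `except (KeyError, OSError) as e:` and report on stderr, e.g. `sys.stderr.write("Could not chown %s to %s: %s\n" % (args.key, rpki.autoconf.RPKI_USER, e))` (sys is already imported). The 0400 passed to os.open only takes effect when the key file is newly created: an existing root.key is truncated by O_TRUNC but keeps whatever mode it already had, so add `os.fchmod(f.fileno(), 0400)` as the first statement inside that with block. The key is also written last, after the certificate and TAL, so a failure there leaves a certificate and TAL on disk with no matching key; writing the key before the other two files avoids that partial state.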